Ransomware Roundup: 06.24.22

This week’s round up…

  • More than half of ransomware victims lose a client  
  • Ransomware does not think of the children
  • The other RaaS: Ransomware as a Smokescreen
  • Another manufacturer halted by ransomware
  • The extended legacy of the Colonial Pipeline attack, legislation

More than half of ransomware victims lose a client

Phil Hall of Westchester and Fairfield County journal reported on a survey that found more than half of the victims of a ransomware attack lost at least one client.

“The survey, which polled 300 ransomware victims, found only 11% of respondents reporting the ransomware payment was the most consequential impact of the ransom

ware attack,” Hall wrote.

Brand damage is cited as a cost of a successful ransomware attack, but the ultimate results of this have been somewhat ephemeral. This survey illustrates the consequences to reputation lost as a result of a breach.

Ransomware does not think of the children

The good news: 2021 saw a double-digit decrease by percentage in ransomware attacks against United States schools and colleges. The bad news: Despite this, ransomware still cost places of learning more than $3.5 billion (about $11 per person in the US) in that year alone.

“Schools districts have become a popular target for cyberattacks, particularly ransomware, in recent years due to the fact that many are running outdated computer systems and don't have the same financial or staffing resources for cybersecurity that many private companies do,” Bree Fowler wrote in CNET article.

The report, conducted by cybersecurity research firm Comparitech, was cautious about its rosier picture of 2022.

“Based on what has been reported already for the year, the downtime and recovery times are significantly lower than in previous years (just over two days and 22 days respectively). However, with the impact of attacks often not being felt/reported on accurately until months later, downtime figures may rise but it’s likely they will still be lower than previous years,” the researchers wrote in the report.

The other RaaS: Ransomware as a Smokescreen

Charlie Osborne at ZDNet reported on research conducted by SecureWorks that detailed HUI Loader, which is assumed to be the product of state-backed actors and has been found to deliver one of several strains of ransomware. The motivation behind deploying malware, however, is noteworthy.

“The victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest that BRONZE STARLIGHT’s main motivation may be intellectual property theft or cyberespionage rather than financial gain. The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group,” the researchers wrote in the report.

Victims of the malicious actors include Brazilian pharmaceutical companies, a US media outlet, Japanese manufacturers and a major Indian organization's aerospace and defense division, according to Osborne.

Another manufacturer halted by ransomware

Automotive manufacturer Nichirin fell victim to a ransomware attack from an unnamed actor, reported Bill Toulas at Bleeping Computer. Threat groups often target factories because the scope of disruptions provides compelling “incentive” to pay the extortion fee.

Nichirin “moved operations into manual mode” reported Toulas and that customers should expect delays in receiving their orders. The company temporarily took its website offline while it determined the scope of the attack but is now focused on returning to full operation.

“In an official statement [PDF, Japanese] yesterday, Nichirin underlines that system recovery has been prioritized to resume business operations. The company is currently investigating how the unauthorized access happened and is trying to determine ‘the effects of information leakage’,” Toulas reported.

This is the second noteworthy attack to be featured in the Ransomware Roundup as Foxconn suffered a disruptions earlier this month.

The extended legacy of the Colonial Pipeline attack, legislation

United States President Joe Biden signed two pieces of legislation to help mitigate the results of events like the SolarWinds and Colonial Pipeline attacks, reported Martin Matishak at The Record.  

The State and Local Cybersecurity Act will empower the Cybersecurity and Infrastructure Security Agency to “provision of assistance and education related to cyber threat indicators, proactive and defensive measures and cybersecurity technologies, cybersecurity risks and vulnerabilities, incident response and management, analysis, and warnings.”

The Federal Rotational Cyber Workforce Program Act is intended to develop cybersecurity expertise in the federal government “in an effort to compete with the usually more lucrative private sector,” Matishak reported.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Phil Hall at Westfair & Chester County Business Journals  for their reporting on Study: 60% of ransomware victims lost a client due to an attack.

Bree Fowler at CNET for their reporting on Ransomware Cost US Schools $3.56 Billion in 2021, Study Says.

Charlie Osborne at ZDNet for their reporting on These hackers are spreading ransomware as a distraction - to hide their cyber spying.

Bill Toulas at Bleeping Computer for their reporting on Automotive hose maker Nichirin hit by ransomware attack.

Martin Matishak at The Record by Recorded Future for their reporting on Biden signs a pair of cybersecurity bills into law.

Ransomware Roundup: 07.01.22

A conviction in the fight against ransomware, LockBit announces a bug bounty program (seriously) and ransomware is named the greatest cybersecurity threat - surprising no one.

Read the Blog
No items found.

This week’s round up…

  • It seems like a great side hustle … until it lands you in prison
  • The updated version of AstraLocker is looking for a quick payout
  • UK’s NCSC names the greatest cybersecurity threat of our times
  • Vice Society takes down a medical university
  • So, we found a reason to jeer at a bug bounty program
  • CISA offers warning about MedusaLocker

It seems like a great side hustle … until it lands you in prison

A ransomware affiliate pled guilty to charges in an all too rare instance of legal action against a cybercriminal. Jonathan Greig at The Record Reported that Canada extradited Sebastien Vachon-Desjardins of Quebec to the United States in March 2022 and worked with the NetWalker group to extort a company in Florida.

“United States Attorney for the Middle District of Florida Roger Handberg said Vachon-Desjardins has agreed to plead guilty to four charges: Conspiracy to Commit Computer Fraud, Conspiracy to Commit Wire Fraud, Intentional Damage to a Protected Computer and Transmitting a Demand in Relation to Damaging a Protected Computer,” Greig wrote.

It should be noted that Vachon-Desjardins cybercriminal enterprises were a side hustle and he worked fulltime – wait for it - "for the Canadian government as an IT employee while conducting ransomware attacks on behalf of NetWalker,” Greig reported.

A Canadian court sentenced Vachon-Desjardins to seven years in prison on separate charges in Feb. 2022.  

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of the AstraLocker that can be delivered directly from infected Microsoft Office files. According to the article, the intent is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”  

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”

UK’s NCSC names the greatest cybersecurity threat of our times

The United Kingdom’s National Cyber Security Centre declared ransomware the greatest global cybersecurity threat. Danny Palmer at ZDNet reported that “the volume of ransomware has risen significantly with the amount of detected activity in the first quarter of 2022 more than three times what was detected during the same period last year.”

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," Palmer quoted Lindy Cameron, CEO of the NCSC.

Vice Society takes down a medical university

Vice Society – the group that claimed responsibility for extorting the Italian city of Palermo – scored another victim this week. Bill Toulas at Bleeping Computer reports that the cybercriminal group attacked the Medical University of Innsbruck, which “caused severe IT service disruption and the alleged theft of data.”

“On June 21, 2022, the university's IT team proceeded to reset all 3,400 students' and 2,200 employees' account passwords and called everyone to go through a manual process of personally collecting their new credentials.

“In the days that followed, the university gradually restored its online services and returned operations to its main site, which had previously been initially taken offline,” Toulas reported.

Vice Society have been particularly active lately, including “a college in the UK, a hospital in Italy, and two universities in the UK. This makes the Medical University of Innsbruck the fifth disclosed European victim of Vice in the past month” according to Toulas.

So, we found a reason to jeer at a bug bounty program

Usually, the launch of a bug bounty program is a cause for celebration. Unless a ransomware gang announces it, in which case … disgusting.

Adam Janofsky at The Record by Recorded Future reported that the LockBit gang recently released the third version of its ransomware and a new bug bounty program, which ostensibly seeks to crowdsource the improvement of the malware – again, disgusting.

“Although few details were provided about technical changes to the ransomware-as-a-service operation, the group said it was inviting all security researchers and hackers to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million. The group is seeking website bugs, locker errors, and ideas to improve the group’s software, among other things. A $1 million bounty is reserved for discovering the true name of the affiliate program manager, known as LockBitSupp,” Janofsky reported.

CISA offers warning about MedusaLocker

The United States Cybersecurity & Infrastructure Agency (CISA) released an alert about MedusaLocker. The RaaS gang targets specific vulnerabilities and the CISA notice includes indicators of compromise, MITRE ATT&CK Techniques and mitigation details to enable organizations to reduce the risk of infection.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” CISA wrote in the alert.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Netwalker ransomware affiliate agrees to plead guilty to hacking charges.  

Catalin Cimpanu at The Record - Recorded Future for their reporting on NetWalker ransomware affiliate sentenced to seven years in prison.

Lindsey O’Donnell-Welch at Deciper by Duo for their reporting on AstraLocker Ransomware Spread in ‘Smash and Grab’ Attacks.

Joseph Edwards at ReversingLabs  for their research on Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs.

Danny Palmer at ZDNet for their reporting on Ransomware is the biggest global cyber threat. And the attacks are still evolving.

Bill Toulas at Bleeping Computer for their reporting on Vice Society claims ransomware attack on Med. University of Innsbruck.

Adam Janofsky at The Record - Recorded Future for their reporting on LockBit adds a bug bounty program in its revamped ransomware-as-a-service operation.

Cybersecurity & Infrastructure Security Agency for their #StopRansomware: MedusaLocker alert.

Ransomware Roundup: 07.22.22

Well, turns out Bandcai Namco got popped by BlackCat, patients trying to pay for their health procedures had their PII leaked, and June was a better month for ransomware defenders.

Read the Blog
No items found.

Welcome back to this week’s round up…

Ransom City Blues

Corin Faife at The Verge reports that a small Canadian town, St. Marys, Ontario has been hit by the LockBit group. According to the report, most of the essential services in the town of 7,500 were not impacted but screenshots from the leak site show possible impact to finance, health and safety, sewage treatment, property files and public works. St. Marys is unfortunately not alone in this recent spurt of LockBit activity as the town of Frederick, Colorado’s data is also listed as compromised by the group.

School of Hard Knocks

According to a recent Sophos survey of 5,600 IT workers representing 410 colleges and universities across the globe, nearly 75% of these institutions suffered from successful ransomware attacks.

This astounding statistic (unfortunately) shows that higher education institutions are a rich and profitable hunting ground for ransomware groups with a success rate greater than healthcare or even financial services. As attackers run up against better defenses in other market segments, they will look for targets that, for a variety of reasons, do not commit the necessary resources to protecting their infrastructure. If you’ve been in cybersecurity for long enough, this will not come as a surprise – even with specific education-centric discounted programs the adoption of new cybersecurity products and services in education has always lagged other segments.

Twisted Metal

As we’ve written about in previous Ransomware Roundups, ransomware targeting ESXi environments continues to grow.

While it’s one thing to ransom an endpoint, targeting bare-metal hypervisors that host multiple VMs or even clusters of hosts can have devastating results. DarkReading has an excellent roundup of the growth in Luna and BlackBasta that have cross-platform capabilities to target Windows, Linux and ESXi systems. VMware has disclosed several critical vulnerabilities this year that attackers have been taking advantage of.

It’s yet to be seen whether the targeting of ESXi is driven solely by the opportunity these vulns have provided or if these groups are intentionally going after a new and lucrative market segment.

Ransomware goes Freemium

Getting traction with a new product in a crowded market is always difficult, it’s why Product Led Growth (PLG) is such a hot topic with SaaS companies over the last few years. So, it only makes sense that an up-and-coming group would simply give their ransomware away for free, the stipulation being a higher cut on commission. With Redeemer 2.0’s release, the barrier for entry for anyone to kick off a ransomware campaign has never been lower. Plus, the group has stated if the adoption rate isn’t high enough, they’ll just open source the entire project. What a wonderful new world we’re living in.

Down the Drain

There are reports coming in that an organization that runs sewer systems in the Providence and Blackstone Valley areas of Rhode Island was hit by a yet-to-be-known cyberattack, rumored to be ransomware. While details are scant, the crossover from cyber into physical systems has seemingly been increasing in 2022. Be on the lookout next week, as more details come to light.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

https://www.theverge.com/2022/7/22/23274372/st-marys-canada-lockbit-ransomware-cyber-incident

Author: Corin Faife

https://assets.sophos.com/X24WTUEQ/at/pgvqxjrfq4kf7njrncc7b9jp/sophos-state-of-ransomware-education-2022-wp.pdf

Author: Sophos

https://www.darkreading.com/attacks-breaches/snowballing-ransomware-variants-highlight-growing-threat-to-vmware-esxi-environments

Author: Jai Vijayan

https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/

Author: Bill Toulas

https://www.providencejournal.com/story/news/local/2022/07/16/ri-sewer-system-narragansett-bay-commission-hit-cyber-attack/10076978002/

Author: Paul Edward Parker

Ransomware Roundup: 07.15.22

Well, turns out Bandcai Namco got popped by BlackCat, patients trying to pay for their health procedures had their PII leaked, and June was a better month for ransomware defenders.

Read the Blog
No items found.

This week’s round up …

  • Doxxed: Because paying for that surgery wasn’t enough
  • BlackCat claims credit for Bandai Namco breach
  • Ransomware statistics for June are out, and it’s kind of encouraging (narrator: It is not)
  • A new player has joined the game: Lilith ransomware
  • From North Korea, with love

Doxxed: Because paying for that surgery wasn’t enough

Professional Finance Company issued a statement that a ransomware group was able to access databases holding personal information of patients at 657 healthcare organizations in Feb. 2022. PFC handles payments for many hospitals and the information includes names, addresses and Social Security numbers of account holders.

“PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information,” the company wrote in a statement.

PFC states that they had notified the affected organizations and an investigation is ongoing. However, the Quantum ransomware group has been attributed to the attack.  

BlackCat claims credit for Bandai Namco breach

The malware intelligence group, vx-underground, posted a screenshot on their official Twitter account that shows the (ALPHV) BlackCat ransomware group seemingly taking credit for the Bandai Namco breach that occurred this week.

“On July 3, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). After we confirmed the unauthorized access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause,” the company wrote in an official statement.

Bandai Namco is a video game publisher of popular franchises such as Elden Ring, Soulcaliber and Dark Souls.

A new player has joined the game: Lilith ransomware

An independent malware hunter discovered a new ransomware operation, dubbed Lilith, that claimed its first victim in South Africa.

“Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortions attacks, which is when the threat actors steal data before encrypting devices,” reported Bill Toulas at Bleeping Computer.

Threat Intelligence firm Cyble published a report detailing the technical analysis of Lilith. Admittedly, the RaaS group is in the early days of operations but worth watching.  

From North Korea, with love

The Microsoft Threat Intelligence Security Center (MSTIC) released research detailing the HolyGh0st ransomware group (whom Microsoft tracks as DEV-0530), which has been active since 2021 and is reportedly acting out of North Korea. Attribution is notoriously fraught for malware researchers, but the MSTIC team provides compelling evidence.

“MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the team wrote in their report.

HolyGh0st attempted to legitimize their activities by claiming to help increase victim organizations’ security posture but … you know, extortion.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs and Bandai Namco confirms cyberattack after ransomware group threatens leak.  

Sergiu Gatlan at Bleeping Computer for their reporting on Quantum ransomware attack affects 657 healthcare orgs. 

Adam Janofsky at The Record - Recorded Future for their reporting on Ransomware tracker: the latest figures [July 2022].

vx-underground at for their research on vx-underground on Twitter: "ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.

JAMESWT at for their reporting on JAMESWT on Twitter: "#Ransomware #Lilith.

Bill Toulas at Bleeping Computer for their reporting on New Lilith ransomware emerges with extortion site, lists first victim. 

Cyble for their research on New Ransomware Groups on the Rise.

Microsoft Threat Intelligence Center at Microsoft Threat Intelligence for their research on North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog. 

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Ready to get a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert

Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.